Abstract. We give an incremental, inductive (IC3) procedure to check coverability of well-structured transition systems. Our procedure generalizes the IC3 procedure for safety verification, which has been successfully applied in finite-state hardware verification, to infinite-state well-structured transition systems. We show that our procedure is sound, complete, and terminating for downward-finite well-structured transition systems, where each state has a finite number of states below it, a class that contains extensions of Petri nets, broadcast protocols, and lossy channel systems.

We have implemented our algorithm for checking coverability of Petri nets. We describe how the algorithm can be efficiently implemented without the use of SMT solvers. Our experiments on standard Petri net benchmarks show that IC3 is competitive with state-of-the-art implementations for coverability based on symbolic backward analysis or expand-enlarge-and-check algorithms, both in time taken and in space usage.

1 Introduction 

The IC3 algorithm [3] was recently introduced as an efficient technique for safety verification of hardware. It computes an inductive invariant by maintaining a sequence of over-approximations of forward-reachable states, and incrementally strengthening them based on counterexamples to inductiveness. The counterexamples are obtained using a backward exploration from error states. Efficient implementations of the procedure show remarkably good performance on hardware benchmarks [6].

A natural direction is to extend the IC3 algorithm to classes of systems beyond finite-state hardware circuits. Indeed, an IC3-like technique was recently proposed for interpolation-based software verification [5], and the technique was generalized to finite-data pushdown systems as well as systems using linear real arithmetic [15]. Hoder and Bjørner show that their generalized IC3 procedure terminates on timed pushdown automata [15], and it is natural to ask for what other classes of infinite-state systems IC3 forms a decision procedure for safety verification.

In this paper, we consider well-structured transition systems (WSTS) [11,12]. WSTS are infinite-state transition systems whose states have a well-quasi order, and whose transitions satisfy a monotonicity property w.r.t. the quasi-order. WSTS capture many important infinite-state models such as Petri nets and their monotonic extensions [11,4,7,15], broadcast protocols [9,10], and lossy channel systems [2]. A general decidability result shows that the coverability problem (reachability in an upward-closed set) is decidable for WSTS [1]. The decidability result performs a backward reachability analysis, and shows, using properties of well-quasi orderings, that the reachability procedure must terminate. In many verification problems, techniques based on computing inductive invariants outperform methods based on backward or forward reachability analysis; indeed, IC3 for hardware circuits is a prime example. Thus, it is natural to ask if there is an IC3-style decision procedure for coverability analysis for WSTS.

We answer this question positively. We give a generalization of IC3 for WSTS, and show that it terminates on the class of downward-finite WSTS, in which each state has a finite number of states lower than itself. The class of downward-finite WSTS contains the most important classes of WSTS used in verification, including Petri nets and their extensions, broadcast protocols, and lossy channel systems. Hence, our results show that IC3 is a decision procedure for the coverability problem for these classes of systems. While termination is trivial in the finite-state case, our technical contribution is to show, using the termination of the backward reachability procedure, that the sequence of (downward-closed) invariants produced by IC3 is guaranteed to converge. We also show that the assumption of downward-finiteness is necessary: we give a (technical) example of a general WSTS on which the algorithm does not terminate.

We have implemented our algorithm in a tool called IIC to check coverability in Petri nets. Using combinatorial properties of Petri nets, we derive an optimized implementation of the algorithm that does not use an SMT solver. Our implementation shows that IIC outperforms several state-of-the-art implementations of coverability [13,16] on a set of Petri net examples, both in space and in time requirements. For example, on a set of standard Petri net examples, we outperform implementations of EEC and backward reachability, often by orders of magnitude.

2 Preliminaries 

Well-quasi Orders. For a set $X$, a relation $\preceq \subseteq X \times X$ is a well-quasi-order (wqo) if it is reflexive, transitive, and if for every infinite sequence $x_0, x_1, \ldots$ of elements from $X$ there exist $i < j$ such that $x_i \preceq x_j$. A set $Y \subseteq X$ is upward-closed if for every $y \in Y$ and $x \in X$, $y \preceq x$ implies $x \in Y$. Similarly, a set $Y \subseteq X$ is downward-closed if for every $y \in Y$ and $x \in X$, $x \preceq y$ implies $x \in Y$. For a set $Y$, by $Y{\uparrow}$ we denote its upward closure, i.e., the set $\{x \mid \exists y \in Y, y \preceq x\}$. For a singleton $\{x\}$, we simply write $x{\uparrow}$ for $\{x\}{\uparrow}$. Similarly, we define $Y{\downarrow} = \{x \mid \exists y \in Y, x \preceq y\}$ for the downward closure of a set $Y$. Clearly, $Y{\uparrow}$ (resp., $Y{\downarrow}$) is an upward-closed (resp., downward-closed) set for each $Y$. The union and intersection of upward-closed sets are upward-closed, and the union and intersection of downward-closed sets are downward-closed. Furthermore, the complement of an upward-closed set is downward-closed, and the complement of a downward-closed set is upward-closed. For the convenience of the reader, we will mark upward-closed sets with a small up-arrow superscript, like this: $U^{\uparrow}$, and downward-closed sets with a small down-arrow superscript, like this: $D^{\downarrow}$.

A basis of an upward-closed set $Y$ is a set $Y_b \subseteq Y$ such that $Y = \bigcup_{y \in Y_b} y{\uparrow}$. It is known [14,11,12] that any upward-closed set $Y$ in a wqo has a finite basis: the set of minimal elements of $Y$ has finitely many equivalence classes under the equivalence relation $\preceq \cap \succeq$, so take any system of representatives. We write $\min Y$ for such a system of representatives. Moreover, it is known that any non-decreasing sequence $I_0 \subseteq I_1 \subseteq \cdots$ of upward-closed sets eventually stabilizes, i.e., there exists $k \in \mathbb{N}$ such that $I_k = I_{k+1} = I_{k+2} = \cdots$.

A wqo $(X, \preceq)$ is downward-finite if for each $x \in X$, the downward closure $x{\downarrow}$ is a finite set.

Examples: Let $\mathbb{N}^k$ be the set of $k$-tuples of natural numbers, and let $\preceq$ be pointwise comparison: $v \preceq v'$ iff $v_i \le v'_i$ for $i = 1, \ldots, k$. Then $(\mathbb{N}^k, \preceq)$ is a downward-finite wqo.

Let $A$ be a finite alphabet, and consider the subword ordering $\preceq$ on words over $A$, given by $w \preceq w'$ for $w, w' \in A^*$ iff $w$ results from $w'$ by deleting some occurrences of symbols. Then $(A^*, \preceq)$ is a downward-finite wqo [14].

Well-structured Transition Systems. A well-structured transition system (WSTS) $(\Sigma, I, \rightarrow, \preceq)$ consists of a set $\Sigma$ of states, a finite set $I \subseteq \Sigma$ of initial states, a transition relation $\rightarrow \subseteq \Sigma \times \Sigma$, and a well-quasi ordering $\preceq \subseteq \Sigma \times \Sigma$ such that for all $s_1, s_2, t_1 \in \Sigma$ with $s_1 \rightarrow s_2$ and $s_1 \preceq t_1$ there exists $t_2$ such that $t_1 \rightarrow^* t_2$ and $s_2 \preceq t_2$. A WSTS is downward-finite if $(\Sigma, \preceq)$ is downward-finite.

Let $x, y \in \Sigma$. If $x \rightarrow y$, we call $x$ a predecessor of $y$, and $y$ a successor of $x$. We write $\mathrm{pre}(x) := \{y \mid y \rightarrow x\}$ for the set of predecessors of $x$, and $\mathrm{post}(x) := \{y \mid x \rightarrow y\}$ for the set of successors of $x$. For $X \subseteq \Sigma$, $\mathrm{pre}(X)$ and $\mathrm{post}(X)$ are defined as natural extensions, i.e., $\mathrm{pre}(X) = \bigcup_{x \in X} \mathrm{pre}(x)$ and $\mathrm{post}(X) = \bigcup_{x \in X} \mathrm{post}(x)$.

We write $x \rightarrow^k y$ if there are states $x_0, \ldots, x_k \in \Sigma$ such that $x_0 = x$, $x_k = y$ and $x_i \rightarrow x_{i+1}$ for $0 \le i < k$. Furthermore, $x \rightarrow^* y$ iff there exists a $k \ge 0$ such that $x \rightarrow^k y$, i.e., $\rightarrow^*$ is the reflexive and transitive closure of $\rightarrow$. We say that there is a path from $x$ to $y$ of length $k$ if $x \rightarrow^k y$, and that there is a path from $x$ to $y$ if $x \rightarrow^* y$.

The set of $k$-reachable states $\mathrm{Reach}_k$ is the set of states reachable in at most $k$ steps, formally, $\mathrm{Reach}_k := \{y \in \Sigma \mid \exists k' \le k, \exists x \in I, x \rightarrow^{k'} y\}$. The set of reachable states is $\mathrm{Reach} := \bigcup_k \mathrm{Reach}_k = \{y \mid \exists x \in I, x \rightarrow^* y\}$. Using downward closure, we can define the $k$-th cover $\mathrm{Cover}_k$ and the cover $\mathrm{Cover}$ of the WSTS as $\mathrm{Cover}_k := \mathrm{Reach}_k{\downarrow}$ and $\mathrm{Cover} := \mathrm{Reach}{\downarrow}$. The coverability problem for WSTS asks, given a WSTS $(\Sigma, I, \rightarrow, \preceq)$ and a downward-closed set $P^{\downarrow}$, if every reachable state is contained in $P^{\downarrow}$, i.e., if $\mathrm{Reach} \subseteq P^{\downarrow}$. It is easy to see that this question is equivalent to checking if $\mathrm{Cover} \subseteq P^{\downarrow}$.

In the following, we make some standard effectiveness assumptions on WSTS [11,12]. We assume that $\preceq$ is decidable, and that for any state $x \in \Sigma$, there is a computable procedure that returns a finite basis for $\mathrm{pre}(x{\uparrow})$. These assumptions are met by most classes of WSTS considered in verification [12].



Under the preceding effectiveness assumptions, one can show that the coverability problem is decidable for WSTS by a backward-search algorithm. The main construction is the following sequence of upward-closed sets:

$U^{\uparrow}_0 := \Sigma \setminus P^{\downarrow}, \qquad U^{\uparrow}_{i+1} := U^{\uparrow}_i \cup \mathrm{pre}(U^{\uparrow}_i)$. (BackwardReach)

It is easy to see that the sequence of sets $U^{\uparrow}_i$ forms an increasing chain of upward-closed sets, therefore it eventually stabilizes: there is some $L$ such that $U^{\uparrow}_L = U^{\uparrow}_{L+i}$ for all $i \ge 0$. Then, $\mathrm{Cover} \subseteq P^{\downarrow}$ iff $I \cap U^{\uparrow}_L = \emptyset$. Moreover, if $I \cap U^{\uparrow}_L = \emptyset$, then $\Sigma \setminus U^{\uparrow}_L$ contains $I$, is contained in $P^{\downarrow}$, and satisfies $\mathrm{post}(\Sigma \setminus U^{\uparrow}_L) \subseteq \Sigma \setminus U^{\uparrow}_L$.

We generalize from $\Sigma \setminus U^{\uparrow}_L$, in the style of inductive invariants for safety verification, to the notion of an (inductive) covering set. A downward-closed set $C^{\downarrow}$ is called a covering set for $P^{\downarrow}$ iff (a) $I \subseteq C^{\downarrow}$, (b) $C^{\downarrow} \subseteq P^{\downarrow}$, and (c) $\mathrm{post}(C^{\downarrow}) \subseteq C^{\downarrow}$. By induction, it is clear that $\mathrm{Cover} \subseteq C^{\downarrow}$ for any covering set $C^{\downarrow}$. Therefore, to solve the coverability problem, it is sufficient to exhibit any covering set.

3 IC3 for Coverability

We now describe an algorithm for the coverability problem that takes as input a WSTS $(\Sigma, I, \rightarrow, \preceq)$ and a downward-closed set $P^{\downarrow}$, and constructs either a path from some state in $I$ to a state not in $P^{\downarrow}$ (if $\mathrm{Cover} \not\subseteq P^{\downarrow}$), or an inductive covering set for $P^{\downarrow}$. In the algorithm we consider sets that are not necessarily inductive by themselves, but are inductive relative to some other sets. Formally, for a set $R^{\downarrow}$ such that $I \subseteq R^{\downarrow}$, a downward-closed set $S^{\downarrow}$ is inductive relative to $R^{\downarrow}$ if $I \subseteq S^{\downarrow}$ and $\mathrm{post}(R^{\downarrow} \cap S^{\downarrow}) \subseteq S^{\downarrow}$. An upward-closed set $U^{\uparrow}$ is inductive relative to $R^{\downarrow}$ if its downward-closed complement $\Sigma \setminus U^{\uparrow}$ is inductive relative to $R^{\downarrow}$, i.e., if $I \cap U^{\uparrow} = \emptyset$ and $\mathrm{post}(R^{\downarrow} \setminus U^{\uparrow}) \subseteq \Sigma \setminus U^{\uparrow}$.

It can be easily shown that the condition $\mathrm{post}(R^{\downarrow} \cap S^{\downarrow}) \subseteq S^{\downarrow}$ is equivalent to $\mathrm{pre}(\Sigma \setminus S^{\downarrow}) \cap R^{\downarrow} \cap S^{\downarrow} = \emptyset$. Stated in terms of an upward-closed set $U^{\uparrow}$, the equivalent condition is $\mathrm{pre}(U^{\uparrow}) \cap R^{\downarrow} \setminus U^{\uparrow} = \emptyset$. Since all these conditions are equivalent, we will use them interchangeably.

3.1 Algorithm 

Figure 1 shows the algorithm as a set of non-deterministic state transition rules, similar to [15]. A state of the computation is either the initial state $\mathrm{Init}$, the special states $\mathrm{valid}$ and $\mathrm{invalid}$ that denote termination, or a pair $\mathbf{R} \mid Q$ defined as follows.

The first component of the pair is a vector $\mathbf{R}$ of downward-closed sets, indexed starting from 0. The elements of $\mathbf{R}$ are denoted $R^{\downarrow}_i$. In particular, we denote by $R^{\downarrow}_0$ the downward closure of $I$, i.e., $R^{\downarrow}_0 = I{\downarrow}$. These sets contain the successive approximations to the inductive covering set. The function $\mathrm{length}$ gives the length of the vector, disregarding $R^{\downarrow}_0$, i.e., $\mathrm{length}(R^{\downarrow}_0, \ldots, R^{\downarrow}_N) = N$. If it is clear from the context which vector is meant, we often abbreviate $\mathrm{length}(\mathbf{R})$ simply with $N$. We write $\mathbf{R} \cdot X$ for the concatenation of the vector $\mathbf{R}$ with the downward-closed set $X$: $(R^{\downarrow}_0, \ldots, R^{\downarrow}_N) \cdot X = (R^{\downarrow}_0, \ldots, R^{\downarrow}_N, X)$.

[Fig. 1. The rule system for an IC3-style algorithm for WSTS, generic version; the map $\mathrm{Gen}_i$ is defined in equation (1). The rules are [Initialize], [CandidateNondet], [DecideNondet], [ModelSyn], [ModelSem], [Conflict], [Induction], [Valid] and [Unfold]; the premises and conclusions recoverable from the figure are:
[DecideNondet]: $\min Q = (a, i)$, $i > 0$, $b \in \mathrm{pre}(a{\uparrow}) \cap R^{\downarrow}_{i-1} \setminus a{\uparrow}$; $\mathbf{R} \mid Q \mapsto \mathbf{R} \mid Q.\mathrm{Push}((b, i-1))$.
[Conflict]: $\min Q = (a, i)$, $i > 0$, $\mathrm{pre}(a{\uparrow}) \cap R^{\downarrow}_{i-1} \setminus a{\uparrow} = \emptyset$, $b \in \mathrm{Gen}_{i-1}(a)$; $\mathbf{R} \mid Q \mapsto \mathbf{R}[R^{\downarrow}_k \mapsto R^{\downarrow}_k \setminus b{\uparrow}]_{k=1}^{i} \mid Q.\mathrm{PopMin}$.
[Induction]: $R^{\downarrow}_i = \Sigma \setminus \{r_{i,1}, \ldots, r_{i,m}\}{\uparrow}$, $b \in \mathrm{Gen}_i(r_{i,j})$ for some $1 \le j \le m$; $\mathbf{R} \mid Q \mapsto \mathbf{R}[R^{\downarrow}_k \mapsto R^{\downarrow}_k \setminus b{\uparrow}]_{k=1}^{i+1} \mid Q$.
[Valid]: $R^{\downarrow}_i = R^{\downarrow}_{i+1}$ for some $i < N$; $\mathbf{R} \mid Q \mapsto \mathrm{valid}$.]

The second component of the pair is a priority queue $Q$, containing elements of the form $(a, i)$, where $a \in \Sigma$ is a state and $i \in \mathbb{N}$ is a natural number. The priority of the element is given by $i$, and is called the level of the element. The statement $(a, i) \in Q$ means that the priority queue contains an element of the given form, while $\min Q = (a, i)$ means that the minimal element of the priority queue has the given form. Furthermore, $Q.\mathrm{PopMin}$ yields $Q$ after removal of its minimal element, and $Q.\mathrm{Push}(x)$ yields $Q$ after adding element $x$.

The elements of $Q$ are states that lead outside of $P^{\downarrow}$. Let $(a, i)$ be an element of $Q$. Either $a$ is a state that is in $R^{\downarrow}_i$ and outside of $P^{\downarrow}$, or there is a state $b$ leading outside of $P^{\downarrow}$ such that $a \in \mathrm{pre}(b{\uparrow})$. Our goal is to try to discard those states and show that they are not reachable from the initial state, as $R^{\downarrow}_i$ denotes an overapproximation of the states reachable in $i$ or fewer steps. If an element of $Q$ is reachable from the initial state, then $\mathrm{Cover} \not\subseteq P^{\downarrow}$.

The state $\mathrm{valid}$ signifies that the search has terminated with the result that $\mathrm{Cover} \subseteq P^{\downarrow}$ holds, while $\mathrm{invalid}$ signifies that the algorithm has terminated with the result that $\mathrm{Cover} \not\subseteq P^{\downarrow}$. In the description of the algorithm, we will omit the actual construction of certificates and instead just state that the algorithm terminates with $\mathrm{invalid}$ or $\mathrm{valid}$; the calculation of certificates is straightforward.

The transition rules of the algorithm are of the form

[Name] $\quad \dfrac{C_1 \;\cdots\; C_k}{\sigma \mapsto \sigma'}$ (Rule)

and can be read thus: whenever the algorithm is in state $\sigma$ and conditions $C_1$ to $C_k$ are fulfilled, the algorithm can apply rule [Name] and transition to state $\sigma'$. We write $\sigma \mapsto \sigma'$ if there is some rule such that the algorithm applies the rule to go from $\sigma$ to $\sigma'$. We write $\mapsto^*$ for the reflexive transitive closure of $\mapsto$.

Let $\mathrm{Inv}$ be a predicate on states. We say that a rule preserves the invariant $\mathrm{Inv}$ if whenever $\sigma$ satisfies $\mathrm{Inv}$ and conditions $C_1$ to $C_k$ are met, it also holds that $\sigma'$ satisfies $\mathrm{Inv}$.

Two of the rules use the map $\mathrm{Gen}_i : \Sigma \to 2^{\Sigma}$. It yields those states that are valid generalizations of $a$ relative to some set $R^{\downarrow}_i$. A state $b$ is a generalization of the state $a$ relative to the set $R^{\downarrow}_i$ if $b \preceq a$ and $b{\uparrow}$ is inductive relative to $R^{\downarrow}_i$. Formally,

$\mathrm{Gen}_i(a) := \{ b \mid b \preceq a \;\wedge\; b{\uparrow} \cap I = \emptyset \;\wedge\; \mathrm{pre}(b{\uparrow}) \cap R^{\downarrow}_i \setminus b{\uparrow} = \emptyset \}$ (1)

Finally, the notation $\mathbf{R}[R^{\downarrow}_k \mapsto R'^{\downarrow}_k]_{k=1}^{i}$ means that $\mathbf{R}$ is transformed by replacing $R^{\downarrow}_k$ by $R'^{\downarrow}_k$ for each $k = 1, \ldots, i$, i.e.,

$\mathbf{R}[R^{\downarrow}_k \mapsto R'^{\downarrow}_k]_{k=1}^{i} = (R^{\downarrow}_0, R'^{\downarrow}_1, \ldots, R'^{\downarrow}_i, R^{\downarrow}_{i+1}, \ldots, R^{\downarrow}_N)$.

We provide an overview of each rule of the calculus.

[Initialize] The algorithm starts by defining the first downward-closed set $R^{\downarrow}_0$ to be the downward closure of the initial states.

[CandidateNondet] If there is a state $a$ such that $a \in R^{\downarrow}_N$ but at the same time it is not an element of $P^{\downarrow}$, we add $(a, N)$ to the priority queue $Q$.

[DecideNondet] To check if the elements of $Q$ are spurious counterexamples, we start by processing an element $a$ with the lowest level $i$. If there is an element $b$ in $R^{\downarrow}_{i-1} \setminus a{\uparrow}$ such that $b \in \mathrm{pre}(a{\uparrow})$, then we add $(b, i-1)$ to the priority queue $Q$.

[ModelSyn] If the queue contains a state $a$ from level 0, then we have found a counterexample trace and the algorithm terminates in the state $\mathrm{invalid}$.

[ModelSem] Similarly, if the queue contains a state $a$ such that $I \cap a{\uparrow} \neq \emptyset$, this is again a counterexample trace and the algorithm terminates in the state $\mathrm{invalid}$.

[Conflict] If none of the predecessors of a state $a$ from level $i$ is contained in $R^{\downarrow}_{i-1} \setminus a{\uparrow}$, then $a$ belongs to a spurious counterexample trace and can be safely removed from the queue. Additionally, we update the downward-closed sets $R^{\downarrow}_1, \ldots, R^{\downarrow}_i$ as follows: since the states in $a{\uparrow}$ are not reachable in $i$ steps, they can be safely removed from all the sets $R^{\downarrow}_1, \ldots, R^{\downarrow}_i$. Moreover, instead of $a{\uparrow}$ we can remove even a bigger set $b{\uparrow}$, for any state $b$ which is a generalization of the state $a$ relative to $R^{\downarrow}_{i-1}$, as defined in (1).

[Induction] If for some state $r_{i,j}$ whose upward closure was previously removed from $R^{\downarrow}_i$, the set $\Sigma \setminus r_{i,j}{\uparrow}$ becomes inductive relative to $R^{\downarrow}_i$ (i.e., $\mathrm{post}(R^{\downarrow}_i \setminus r_{i,j}{\uparrow}) \subseteq \Sigma \setminus r_{i,j}{\uparrow}$), none of the states in $r_{i,j}{\uparrow}$ can be reached in at most $i+1$ steps. Thus, we can safely remove $r_{i,j}{\uparrow}$ from $R^{\downarrow}_{i+1}$ as well. Similarly as in [Conflict], we can even remove $b{\uparrow}$ for any generalization $b \in \mathrm{Gen}_i(r_{i,j})$.

[Valid] If there is a downward-closed set $R^{\downarrow}_i$ such that $R^{\downarrow}_i = R^{\downarrow}_{i+1}$, the algorithm terminates in the state $\mathrm{valid}$.

[Unfold] If the queue is empty and all elements of $R^{\downarrow}_N$ are in $P^{\downarrow}$, we start with the construction of the next set $R^{\downarrow}_{N+1}$. Initially, $R^{\downarrow}_{N+1}$ contains all the states, $R^{\downarrow}_{N+1} = \Sigma$, and we append $R^{\downarrow}_{N+1}$ to the vector $\mathbf{R}$.

3.2 Soundness 

We first show that the algorithm is sound: if it terminates, it produces the right answer. If it terminates in the state $\mathrm{invalid}$ there is a path from an initial state to a state outside of $P^{\downarrow}$, and if it terminates in the state $\mathrm{valid}$ then $\mathrm{Cover} \subseteq P^{\downarrow}$.

We prove soundness by showing that on each state $\mathbf{R} \mid Q$ the following invariants are preserved by the transition rules:

$I \subseteq R^{\downarrow}_i$ for all $0 \le i \le N$ (I1)
$\mathrm{post}(R^{\downarrow}_i) \subseteq R^{\downarrow}_{i+1}$ for all $0 \le i < N$ (I2)
$R^{\downarrow}_i \subseteq R^{\downarrow}_{i+1}$ for all $0 \le i < N$ (I3)
$R^{\downarrow}_i \subseteq P^{\downarrow}$ for all $0 \le i < N$ (I4)

These properties imply $R^{\downarrow}_i \supseteq \mathrm{Cover}_i$, that is, the region $R^{\downarrow}_i$ provides an over-approximation of the $i$-cover.

The first step of the algorithm (rule [Initialize]) results in the state $I{\downarrow} \mid \emptyset$, which satisfies (I2)-(I4) trivially, and $I \subseteq I{\downarrow}$ establishes (I1). The following lemma states that the invariants are preserved by rules that do not result in $\mathrm{valid}$ or $\mathrm{invalid}$. For lack of space, full proofs are given in the appendix.

Lemma 1. The rules [Unfold], [Induction], [Conflict], [CandidateNondet], and [DecideNondet] preserve (I1)-(I4).

By induction on the length of the trace, it can be shown that if $\mathrm{Init} \mapsto^* \mathbf{R} \mid Q$, then $\mathbf{R} \mid Q$ satisfies (I1)-(I4). When $\mathrm{Init} \mapsto^* \mathrm{valid}$, there is a state $\mathbf{R} \mid Q$ such that $\mathrm{Init} \mapsto^+ \mathbf{R} \mid Q \mapsto \mathrm{valid}$, and the last applied rule is [Valid]. To be able to apply [Valid], there is an $i$ such that $R^{\downarrow}_i = R^{\downarrow}_{i+1}$.

We claim that $R^{\downarrow}_i$ is an inductive covering set. This claim follows from the facts that (1) $R^{\downarrow}_i \subseteq P^{\downarrow}$ by invariant (I4), (2) $I \subseteq R^{\downarrow}_i$ by invariant (I1), and (3) $\mathrm{post}(R^{\downarrow}_i) \subseteq R^{\downarrow}_{i+1} = R^{\downarrow}_i$ by invariant (I2). This claim proves the correctness of the algorithm in case $\mathrm{Cover} \subseteq P^{\downarrow}$:

Theorem 1. [Soundness of coverability] Given a WSTS $(\Sigma, I, \rightarrow, \preceq)$ and a downward-closed set $P^{\downarrow}$, if $\mathrm{Init} \mapsto^* \mathrm{valid}$, then $\mathrm{Cover} \subseteq P^{\downarrow}$.

We next consider the case when $\mathrm{Cover} \not\subseteq P^{\downarrow}$. The following lemma describes the structure of the priority queues used in the algorithm.

Lemma 2. Let $\mathrm{Init} \mapsto^* \mathbf{R} \mid Q$. If $Q \neq \emptyset$, then for every $(a, i) \in Q$, there is a path from $a$ to some $b \in \Sigma \setminus P^{\downarrow}$.



[Fig. 2. Rules replacing [CandidateNondet] and [DecideNondet] in Fig. 1 (as far as recoverable from the figure):
[Candidate]: $a \in R^{\downarrow}_N \cap D_0$; $\mathbf{R} \mid \emptyset \mapsto \mathbf{R} \mid \{(a, N)\}$.
[Decide]: $\min Q = (a, i)$, $i > 0$, $b \in \mathrm{pre}(a{\uparrow}) \cap D_{N-i+1} \cap R^{\downarrow}_{i-1} \setminus a{\uparrow}$; $\mathbf{R} \mid Q \mapsto \mathbf{R} \mid Q.\mathrm{Push}((b, i-1))$.]

Theorem 2. [Soundness of uncoverability] Given a WSTS $(\Sigma, I, \rightarrow, \preceq)$ and a downward-closed set $P^{\downarrow}$, if $\mathrm{Init} \mapsto^* \mathrm{invalid}$, then $\mathrm{Cover} \not\subseteq P^{\downarrow}$.

Proof. The assumption $\mathrm{Init} \mapsto^* \mathrm{invalid}$ implies that there is some state $\mathbf{R} \mid Q$ such that $\mathrm{Init} \mapsto^* \mathbf{R} \mid Q \mapsto \mathrm{invalid}$, and the last applied rule was either [ModelSyn] or [ModelSem]. In both cases $Q \neq \emptyset$.

If the last applied rule was [ModelSem], there is an $(a, i) \in Q$ such that $a{\uparrow} \cap I \neq \emptyset$. By Lemma 2 there is a path from $a$ to $b \in \Sigma \setminus P^{\downarrow}$. Let $a' \in a{\uparrow} \cap I$. Since $(\Sigma, I, \rightarrow, \preceq)$ is a WSTS, there is $b'$ such that $a' \rightarrow^* b'$ and $b' \succeq b$. The set $\Sigma \setminus P^{\downarrow}$ is upward-closed, and thus $b' \in \Sigma \setminus P^{\downarrow}$. The path $a' \rightarrow^* b'$ is a path from $I$ to $\Sigma \setminus P^{\downarrow}$, proving that $\mathrm{Cover} \not\subseteq P^{\downarrow}$.

If the last applied rule was [ModelSyn], then $(a, 0) \in Q$. This implies $a \in R^{\downarrow}_0 = I{\downarrow}$, as $R^{\downarrow}_0$ is constant in the algorithm. Equivalently, $a{\uparrow} \cap I \neq \emptyset$, and we apply the same arguments as in the case for [ModelSem]. □

3.3 Termination 

While the above non-deterministic rules guarantee soundness for any WSTS, termination requires some additional choices. We modify the [DecideNondet] and [CandidateNondet] rules into more restricted rules [Decide] and [Candidate], while all other rules are unchanged. Figure 2 shows the new rules [Candidate] and [Decide]. These rules additionally use a sequence of sets $D_i$. Intuitively, there can be infinitely many elements in $\Sigma \setminus P^{\downarrow}$. The sets $D_i$ provide a finite representation of those elements.



Recall the sequence $U^{\uparrow}_i$ of backward reachable states from (BackwardReach). We define the sets $D_i$ using the sets $U^{\uparrow}_i$. The set $D_i$ captures all new elements that are introduced in $U^{\uparrow}_i$ and that were not present in the previous iterations. Formally, we define the sets $D_i$ as follows:

$D_0 := \min(\Sigma \setminus P^{\downarrow}), \qquad D_{i+1} := \bigcup_{a \in D_i} \min(\mathrm{pre}(a{\uparrow})) \setminus U^{\uparrow}_i$. (2)

By induction, and the finiteness of the set of minimal elements, we have that $D_i$ is finite for all $i \ge 0$. Further, assume that $U^{\uparrow}_L = U^{\uparrow}_{L+1}$. Then $D_i = \emptyset$ for all $i > L$. As a consequence, the set $\bigcup_{i \ge 0} D_i$ is finite.

It is easy to show that the restricted rules still preserve the invariants (I1)-(I4), and thus the modified algorithm is still sound. From now on, we focus on the modified algorithm.

To show that the algorithm always terminates, we first show that the system 
can make progress until some final state is reached. 



Proposition 1 (Maximal finite sequences). Let $\mathrm{Init} = \sigma_0 \mapsto \sigma_1 \mapsto \cdots \mapsto \sigma_K$ be a maximal sequence of states, i.e., a sequence such that there is no $\sigma'$ with $\sigma_K \mapsto \sigma'$. Then $\sigma_K = \mathrm{valid}$ or $\sigma_K = \mathrm{invalid}$.

We prove the termination of the algorithm by defining a well-founded ordering on the tuples $\mathbf{R} \mid Q$.

Definition 1. Let $\mathbf{A}^{\downarrow} = (A^{\downarrow}_1, \ldots, A^{\downarrow}_N)$ and $\mathbf{B}^{\downarrow} = (B^{\downarrow}_1, \ldots, B^{\downarrow}_N)$ be two finite sequences of downward-closed sets of equal length $N$. Define $\mathbf{A}^{\downarrow} \subseteq \mathbf{B}^{\downarrow}$ iff $A^{\downarrow}_i \subseteq B^{\downarrow}_i$ for all $i = 1, \ldots, N$. Let $Q$ be a priority queue whose elements are tuples $(a, i) \in \Sigma \times \mathbb{N}$, and let $N$ be a natural number. Define $\ell_N(Q) := \min(\{i \mid (a, i) \in Q\} \cup \{N+1\})$ to be the smallest priority in $Q$, or $N+1$ if $Q$ is empty.

For two states $\mathbf{R} \mid Q$ and $\mathbf{R}' \mid Q'$ such that $\mathrm{length}(\mathbf{R}) = \mathrm{length}(\mathbf{R}') = N$, we define the ordering $\le_s$ as:

$\mathbf{R} \mid Q \le_s \mathbf{R}' \mid Q' \;:\Leftrightarrow\; \mathbf{R} \subseteq \mathbf{R}' \;\wedge\; (\mathbf{R} = \mathbf{R}' \Rightarrow \ell_N(Q) \le \ell_N(Q'))$

and we write $\mathbf{R} \mid Q <_s \mathbf{R}' \mid Q'$ if $\mathbf{R} \mid Q \le_s \mathbf{R}' \mid Q'$ but $\mathbf{R} \neq \mathbf{R}'$ or $Q \neq Q'$.

Lemma 3 ($<_s$ is a well-founded quasi-order). The relation $<_s$ is a well-founded strict quasi-ordering on the set $(\mathcal{D})^* \times \mathcal{Q}$, where $\mathcal{D}$ is the set of downward-closed sets over $\Sigma$, and $\mathcal{Q}$ denotes the set of priority queues over $\Sigma \times \mathbb{N}$.

The following proposition characterizes infinite runs of the algorithm. The proof follows from the observation that if $\mathbf{R} \mid Q \mapsto \mathbf{R}' \mid Q'$ as a result of applying the [Candidate], [Decide], [Conflict], or [Induction] rules, then $\mathbf{R} \mid Q >_s \mathbf{R}' \mid Q'$.

Proposition 2 (Infinite sequence condition). For every infinite sequence $\mathrm{Init} \mapsto \sigma_1 \mapsto \sigma_2 \mapsto \cdots$, there are infinitely many $i$ such that $\sigma_i \mapsto \sigma_{i+1}$ by applying the rule [Unfold].

We first prove that the algorithm terminates for the case when $\mathrm{Cover} \not\subseteq P^{\downarrow}$.

Lemma 4. Let $(\Sigma, I, \rightarrow, \preceq)$ be a WSTS and $P^{\downarrow}$ a downward-closed set such that $\mathrm{Cover}_k \cap (\Sigma \setminus P^{\downarrow}) \neq \emptyset$. For every sequence $\mathrm{Init} \mapsto \sigma_1 \mapsto^* \sigma_n$, there are at most $k$ different values for $i$ such that $\sigma_i \mapsto \sigma_{i+1}$ using the [Unfold] rule.

Theorem 3. [Termination when $\mathrm{Cover} \not\subseteq P^{\downarrow}$] Given a WSTS $(\Sigma, I, \rightarrow, \preceq)$ and a downward-closed set $P^{\downarrow}$, if $\mathrm{Cover} \not\subseteq P^{\downarrow}$, then the algorithm terminates and all maximal execution sequences have the form $\mathrm{Init} \mapsto^* \mathrm{invalid}$.

Proof. Since $\mathrm{Cover} \not\subseteq P^{\downarrow}$, there is a state $y \in \mathrm{Cover} \setminus P^{\downarrow}$. By the definition of $\mathrm{Cover}$, there are states $x', y'$ such that $x' \in I$, $y' \succeq y$ and $x' \rightarrow^k y'$ for some $k \ge 0$. Because $\Sigma \setminus P^{\downarrow}$ is upward-closed, we have $y' \in \Sigma \setminus P^{\downarrow}$. Combining Lemma 4 and Proposition 2, we prove that the algorithm terminates.

Let $\mathrm{Init} \mapsto^* \sigma$ be a maximal execution. By Proposition 1, $\sigma = \mathrm{valid}$ or $\sigma = \mathrm{invalid}$. By Theorem 1, $\sigma \neq \mathrm{valid}$. □

To prove that the algorithm terminates when $\mathrm{Cover} \subseteq P^{\downarrow}$, we use an additional assumption:

Apply [Valid] whenever it is applicable. (†)

This is a natural assumption: since the algorithm is used to decide the coverability problem and [Valid] answers the problem positively, choosing the [Valid] rule when it is applicable is the most efficient choice. The main argument for showing termination will reduce to showing that, for downward-finite WSTS, we can generate only a finite number of different sets $R^{\downarrow}_i$, so [Valid] will be applicable at some point. The key combinatorial property of downward-finite wqos is as follows.

Lemma 5. Let $(\Sigma, \preceq)$ be a downward-finite wqo and let $D$ be a finite set. Consider a sequence $R_0 \supseteq R_1 \supseteq \cdots$ where each $R_k = \Sigma \setminus \{r_{k,1}, \ldots, r_{k,m_k}\}{\uparrow}$ for $r_{k,j} \in D{\downarrow}$. Then there is $K \in \mathbb{N}$ such that $R_K = R_{K+1}$.

Proof. By downward-finiteness, $D{\downarrow}$ is finite. Hence, there are only a finite number of different $R_k$ we can construct, and the sequence must converge. □

Theorem 4. [Termination when $\mathrm{Cover} \subseteq P^{\downarrow}$] For a given downward-finite WSTS $(\Sigma, I, \rightarrow, \preceq)$ and a downward-closed set $P^{\downarrow}$, if $\mathrm{Cover} \subseteq P^{\downarrow}$ and the rule [Valid] is applied whenever possible, then the algorithm terminates and all maximal execution sequences have the form $\mathrm{Init} \mapsto^* \mathrm{valid}$.

Proof. Consider any execution sequence $\mathrm{Init} \mapsto \sigma_1 \mapsto \sigma_2 \mapsto \cdots$. To show that it is finite, by Proposition 2 it is sufficient to show that there are only finitely many $i$ such that $\sigma_i \mapsto \sigma_{i+1}$ via rule [Unfold]. Note that every time [Unfold] is applied, the length of the sequence $\mathbf{R}$ goes up. Consider the bound $K$ obtained by applying Lemma 5 to the finite set $\bigcup_{i \ge 0} D_i$. After $K$ applications of [Unfold], by Lemma 5 the [Valid] rule applies. Since [Valid] is taken whenever it is applicable, the sequence must terminate. By soundness, it must terminate in $\mathrm{valid}$. □

Note that Theorem 4 is the only result that requires downward-finiteness of the WSTS. We show that the downward-finiteness condition is necessary. Consider a WSTS $(\mathbb{N} \cup \{\omega\}, \{0\}, \rightarrow, \preceq)$, where $x \rightarrow x+1$ for each $x \in \mathbb{N}$ and $\omega \rightarrow \omega$, and $\preceq$ is the natural order on $\mathbb{N}$ extended with $x \preceq \omega$ for all $x \in \mathbb{N}$. Consider the downward-closed set $\mathbb{N}$. The backward analysis terminates in one step, since $\mathrm{pre}(\omega) = \{\omega\}$. However, the IC3 algorithm need not terminate. After unfolding, we find a conflict since $\mathrm{pre}(\omega) = \{\omega\}$, which is not initial. Generalizing, we get $R^{\downarrow}_1 = \{0, 1\}$. At this point, we unfold again. We find another conflict, and generalize to $R^{\downarrow}_2 = \{0, 1, 2\}$. We continue this way to generate an infinite sequence of steps without terminating.

4 Coverability for Petri Nets 

Petri nets [11] are a widely used model for concurrent systems. They form a downward-finite class of WSTS. We now describe an implementation of our algorithm for the coverability problem for Petri nets.



4.1 Petri Nets 

A Petri net (PN, for short) is a tuple $(S, T, W)$, where $S$ is a finite set of places, $T$ is a finite set of transitions disjoint from $S$, and $W : (S \times T) \cup (T \times S) \to \mathbb{N}$ is the arc multiplicity function.

The semantics of a PN is given using markings. A marking is a function from $S$ to $\mathbb{N}$. For a marking $m$ and place $s \in S$, we say $s$ has $m(s)$ tokens.

A transition $t \in T$ is enabled at marking $m$, written $m[t\rangle$, if $m(s) \ge W(s, t)$ for all $s \in S$. A transition $t$ that is enabled at $m$ can fire, yielding a new marking $m'$ such that $m'(s) = m(s) - W(s, t) + W(t, s)$. We write $m[t\rangle m'$ to denote the transition from $m$ to $m'$ on firing $t$.

A PN $(S, T, W)$ and an initial marking $m_0$ give rise to a WSTS $(\Sigma, \{m_0\}, \rightarrow, \preceq)$ as follows. The set of states $\Sigma$ is the set of markings. There is a single initial state $m_0$. There is an edge $m \rightarrow m'$ if there is some transition $t \in T$ such that $m[t\rangle m'$. Finally, $m \preceq m'$ if for each $s \in S$ we have $m(s) \le m'(s)$. It is easy to check that the compatibility condition holds: if $m_1[t\rangle m_2$ and $m_1 \preceq m'_1$, then there is a marking $m'_2$ such that $m'_1[t\rangle m'_2$ and $m_2 \preceq m'_2$. Moreover, the wqo is downward-finite. The coverability problem for PNs is defined as the coverability problem on this WSTS.

We represent Petri nets as follows. Let $S = \{s_1, \ldots, s_n\}$ be the set of places. A marking $m$ is represented as the tuple of natural numbers $(m(s_1), \ldots, m(s_n))$. A transition $t$ is represented as a pair $(g, d) \in \mathbb{N}^n \times \mathbb{Z}^n$, where $g$ represents the enabling condition, and $d$ represents the difference between the number of tokens in a place if the transition fires and the current number of tokens. Formally, $(g, d)$ is defined as:

$d = (W(t, s_1) - W(s_1, t), \ldots, W(t, s_n) - W(s_n, t))$.

We represent upward-closed sets with their minimal bases, which are finite sets of $n$-tuples of natural numbers. A downward-closed set is represented as its complement (which is an upward-closed set). The sets $R^{\downarrow}_i$, which are constructed during the algorithm run, are therefore represented as their complements. Such a representation comes naturally as the algorithm executes. Originally each set $R^{\downarrow}_i$ is initialized to contain all the states. The algorithm removes sets of states of the form $b{\uparrow}$ from $R^{\downarrow}_i$, for some $b \in \mathbb{N}^n$. If a set $b{\uparrow}$ was removed from $R^{\downarrow}_i$, we say that the states in $b{\uparrow}$ are blocked by $b$ at level $i$. At the end every $R^{\downarrow}_i$ becomes a set of the form $\Sigma \setminus \{b_1, \ldots, b_l\}{\uparrow}$, and we conceptually represent $R^{\downarrow}_i$ with $\{b_1, \ldots, b_l\}$.

The implementation uses a succinct representation of $\mathbf{R}$, so-called delta-encoding [6]. Let $R^{\downarrow}_i = \Sigma \setminus B_i{\uparrow}$ and $R^{\downarrow}_{i+1} = \Sigma \setminus B_{i+1}{\uparrow}$ for some finite sets $B_i$ and $B_{i+1}$. Applying the invariant (I3) yields $B_{i+1} \subseteq B_i$. Therefore we only need to maintain a vector $\mathbf{F} = (F_0, \ldots, F_N, F_\infty)$ such that $b \in F_i$ iff $i$ is the highest level where $b$ was blocked. This is sufficient because $b$ is also blocked on all lower levels. As an illustration, for $(B_0, B_1, B_2) = (\{i_1, i_2\}, \{b_1, b_2, b_3, b_4\}, \{b_2, b_3\})$, the matching vector $\mathbf{F}$ might be $(F_0, F_1, F_2, F_\infty) = (\{i_1, i_2\}, \{b_1, b_4\}, \{b_2, b_3\}, \emptyset)$. The set $F_\infty$ represents states that can never be reached.



4.2 Implementation Details and Optimizations 

Our implementation follows the rules given in Figures 1 and 2. In addition, we use optimizations from [6]. The main difference between our implementation and [6] is in the interpretation of the sets being blocked: in [6] those are cubes identified with partial assignments to boolean variables, whereas in our case those are upward-closed sets generated by a single state. Also, a straightforward adaptation of the implementation [6] would replace a SAT solver with a solver for integer difference logic, a fragment of linear integer arithmetic which allows the most natural encoding of Petri nets. However, we observed that Petri nets allow an easy and efficient way of computing predecessors and deciding relative inductiveness directly. Thus we were able to eliminate the overhead of calling the SMT solver.

Testing membership in $R^{\downarrow}_k$. Many of the rules given in Figures 1 and 2 depend on testing whether some state $a$ is contained in a set $R^{\downarrow}_k$. Using the delta-encoded vector $\mathbf{F}$ this can be done by iterating over $F_i$ for $k \le i \le N+1$ and checking if any of them contains a state $c$ such that $c \preceq a$. If there is such a state, it blocks $a$, otherwise $a \in R^{\downarrow}_k$. If $k = 0$, we search for $c$ only in $F_0$.

Implementation of the rules. The delta-encoded representation $\mathbf{F}$ also makes [Valid] easy to implement. Checking if $R^{\downarrow}_i = R^{\downarrow}_{i+1}$ reduces to checking if $F_i$ is empty for some $i < N$. [Unfold] is applied when [Candidate] can no longer yield a bad state contained in $R^{\downarrow}_N$. It increases $N$ and inserts an empty set at position $N$ in the vector $\mathbf{F}$, thus pushing $F_\infty$ from position $N$ to $N+1$. We implemented the rules [Initialize], [Candidate], [ModelSyn] and [ModelSem] in a straightforward manner.
Computing predecessors. In the rest of the rules we need to find predecessors $\mathrm{pre}(a{\uparrow})$ in $R^{\downarrow}_i \setminus a{\uparrow}$, or conclude relative inductiveness if no such predecessors exist. The implementation in [6] achieves this by using a function solveRelative() which invokes the SAT solver. But solveRelative() also does two important improvements. In case the SAT solver finds a cube of predecessors, it applies ternary simulation to expand it further. If the SAT solver concludes relative inductiveness, it extracts information to conclude that a generalized clause is inductive relative to some level $k \ge i$. We succeeded in achieving analogous effects in the case of Petri nets by the following observations. While it is unclear what ternary simulation would correspond to for Petri nets, the following lemma shows how to compute the most general predecessor along a fixed transition directly.

Lemma 6. Let $a \in \mathbb{N}^n$ be a state and $t = (g, d) \in \mathbb{N}^n \times \mathbb{Z}^n$ be a transition. 
Then $b \in \mathrm{pre}(a{\uparrow})$ is a predecessor along $t$ if and only if $b \ge \max(a - d, g)$. 

Therefore, to find an element of $\mathrm{pre}(a{\uparrow}) \cap R_{i-1}^{\downarrow} \setminus a{\uparrow}$, we iterate through all 
transitions $t = (g, d)$ and look for one for which $\max(a - d, g) \in R_{i-1}^{\downarrow} \setminus a{\uparrow}$; by 
Lemma 6 it suffices to test this single state per transition. 

If there is no such transition, then $\Sigma \setminus a{\uparrow}$ is inductive relative to $R_{i-1}^{\downarrow}$. In that 
case, for each transition $t = (g, d)$ the predecessor $\max(a - d, g)$ is either blocked 
by $a$ itself, or there is $i_t \ge i - 1$ and a state $c_t \in F_{i_t}$ such that $c_t \le \max(a - d, g)$. 
We define 

$$i' := \min\{\, i_t \mid t \text{ is a transition} \,\},$$ 

where $i_t := N + 1$ for $t = (g, d)$ if $\max(a - d, g)$ is blocked by $a$ itself. Then 
$i' \ge i - 1$ and $\Sigma \setminus a{\uparrow}$ is inductive relative to $R_{i'}^{\downarrow}$: a state stored in $F_{i_t}$ is 
blocked from every $R_k^{\downarrow}$ with $k \le i_t$, so all predecessors are blocked in $R_{i'}^{\downarrow}$. 

Computing generalizations. The following lemma shows that we can also signif- 
icantly generalize $a$, i.e. there is a simple way to compute a state $a' \le a$ such 
that for all transitions $t = (g, d)$, $\max(a' - d, g)$ remains blocked either by $a'$ 
itself, or by $c_t$. 

Lemma 7. Let $a, c \in \mathbb{N}^n$ be states and $t = (g, d) \in \mathbb{N}^n \times \mathbb{Z}^n$ be a transition. 

1. Let $c \le \max(a - d, g)$. Define $a'' \in \mathbb{N}^n$ by $a''_j := c_j + d_j$ if $g_j < c_j$ and 
$a''_j := 0$ if $g_j \ge c_j$, for $j = 1, \dots, n$. Then $a'' \le a$. Additionally, for each 
$a' \in \mathbb{N}^n$ such that $a'' \le a' \le a$, we have $c \le \max(a' - d, g)$. 

2. If $a \le \max(a - d, g)$, then for each $a' \in \mathbb{N}^n$ such that $a' \le a$, it holds that 
$a' \le \max(a' - d, g)$. 

To continue with the case when the predecessor $\max(a - d, g)$ is blocked for 
each transition $t = (g, d)$, we define $a''_t$ as in Lemma 7 (1) if the predecessor is 
blocked by some state $c_t \in F_{i_t}$, and $a''_t := (0, \dots, 0)$ if it is blocked by $a$ itself. 
The state $a''$ is defined to be the pointwise maximum of all states $a''_t$. By Lemma 
7, the predecessors of $a''$ remain blocked by the same states $c_t$ or by $a''$ itself. 

However, $a''$ still does not have to be a valid generalization, because it might 
be in $R_0^{\downarrow}$. If that is the case, we take any state $c \in F_0$ which blocks $a$ (such a 
state exists because $a \notin R_0^{\downarrow}$). Then $a' := \max(a'', c)$ is a valid generalization: 
$a' \le a$ and $\Sigma \setminus a'{\uparrow}$ is inductive relative to $R_{i'}^{\downarrow}$. 

Using this technique, the rules [Decide], [Conflict] and [Induction] become easy 
to implement. Note that some additional handling is needed in the rules [Conflict] 
and [Induction] when blocking a generalized upward-closed set $a'{\uparrow}$. If $\Sigma \setminus a'{\uparrow}$ 
is inductive relative to $R_{i'}^{\downarrow}$ for $i' < N$, we update the vector $F$ by adding $a'$ 
to $F_{i'+1}$. However, if $i' = N$ or $i' = N+1$, we add $a'$ to $F_{i'}$. Additionally, for 
$1 \le k \le i'+1$ (or $1 \le k \le i'$, respectively) we remove all states $c \in F_k$ such that $a' \le c$, 
since their upward-closures are subsumed by $a'{\uparrow}$. 

One of the optimizations from [5] showed a significant improvement in run- 
ning time. After using the [Conflict] rule, if $i'+1 < N$ and a set $a{\uparrow}$ was blocked 
from $R_{i'+1}^{\downarrow}$ by adding a generalization $a'$ to $F_{i'+1}$, we add $(a, i'+2)$ to the pri- 
ority queue. This way we do not discard the state which we know leads outside 
$P^{\downarrow}$, but add an obligation to check if its upward-closure can be reached in $i'+2$ 
steps. The effect is that traces much longer than $N$ are checked. 
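As an added illustration of the steps above (example code written for this page, not the C++ implementation of the IIC tool), the following Python module keeps the delta-encoded vector $F$, performs the membership test, computes the single candidate predecessor per transition from Lemma 6, derives the level $i'$ and the generalization $a'$ from Lemma 7 together with the $R_0^{\downarrow}$ fix-up, and records $a'$ with subsumption. The priority queue and the re-enqueue optimization are not modelled. It assumes a Petri net given as transitions $(g, d)$ with $d_j \ge -g_j$, states as integer tuples compared pointwise, and a constructed two-place net whose $F_0$ lists the minimal states outside $I^{\downarrow}$ for $I = \{(1, 0)\}$; the names (Frames, find_predecessor, generalize,  block, demo) are this example's own.

```python
# Example code for this page (not the IIC tool): delta-encoded frames for Petri-net
# coverability, predecessors via Lemma 6, generalization via Lemma 7.
# Assumptions: states are tuples in N^n ordered pointwise; a transition is (g, d)
# with guard g in N^n and displacement d in Z^n, d_j >= -g_j.
from typing import List, Optional, Sequence, Tuple

State = Tuple[int, ...]
Transition = Tuple[State, Tuple[int, ...]]  # (g, d)


def leq(x: State, y: State) -> bool:
    """Pointwise order on N^n: x <= y iff x_j <= y_j for every j."""
    return all(a <= b for a, b in zip(x, y))


def pred_along(a: State, t: Transition) -> State:
    """Lemma 6: the least predecessor of a-up along t = (g, d) is max(a - d, g)."""
    g, d = t
    return tuple(max(aj - dj, gj) for aj, dj, gj in zip(a, d, g))


class Frames:
    """Delta-encoded vector F = (F_0, F_1, ..., F_N, F_inf).

    R_0 is Sigma minus F_0-up (the down-closure of the initial states); for i >= 1,
    R_i is Sigma minus (F_i u ... u F_N u F_inf)-up.  A state kept in F_k is thus
    blocked from every R_i with 1 <= i <= k.
    """

    def __init__(self, f0: Sequence[State]):
        self.F: List[List[State]] = [list(f0), [], []]  # F_0, F_1, F_inf; N = 1

    @property
    def N(self) -> int:
        return len(self.F) - 2

    @property
    def INF(self) -> int:  # position of F_inf, i.e. N + 1
        return len(self.F) - 1

    def unfold(self) -> None:
        """[Unfold]: insert an empty F_N, pushing F_inf from position N to N + 1."""
        self.F.insert(self.N + 1, [])

    def blocker(self, a: State, i: int) -> Optional[Tuple[int, State]]:
        """Highest k >= i (only k = 0 when i == 0) holding some c in F_k with c <= a."""
        levels = [0] if i == 0 else range(self.INF, i - 1, -1)
        for k in levels:
            for c in self.F[k]:
                if leq(c, a):
                    return k, c
        return None

    def member(self, a: State, i: int) -> bool:
        """Membership test: a is in R_i iff no stored state blocks it."""
        return self.blocker(a, i) is None


def find_predecessor(fr: Frames, a: State, i: int,
                     ts: Sequence[Transition]) -> Optional[State]:
    """An element of pre(a-up) in R_{i-1} outside a-up, or None if Sigma minus a-up
    is inductive relative to R_{i-1}.  One candidate per transition suffices (Lemma 6)."""
    for t in ts:
        b = pred_along(a, t)
        if not leq(a, b) and fr.member(b, i - 1):
            return b
    return None


def generalize(fr: Frames, a: State, i: int,
               ts: Sequence[Transition]) -> Optional[Tuple[State, int]]:
    """If Sigma minus a-up is inductive relative to R_{i-1}, return (a', i') with
    a' <= a and Sigma minus a'-up inductive relative to R_{i'}; otherwise None."""
    n = len(a)
    acc = [0] * n  # pointwise maximum of the per-transition a''
    levels = []    # i_t per transition; N + 1 when the predecessor is blocked by a
    for g, d in ts:
        b = pred_along(a, (g, d))
        if leq(a, b):  # blocked by a itself: Lemma 7 (2), contributes a'' = 0
            levels.append(fr.INF)
            continue
        blk = fr.blocker(b, i - 1)
        if blk is None:
            return None  # a genuine predecessor exists: not relatively inductive
        k, c = blk
        levels.append(k)
        a2 = [c[j] + d[j] if g[j] < c[j] else 0 for j in range(n)]  # Lemma 7 (1)
        acc = [max(x, y) for x, y in zip(acc, a2)]
    i_prime = min(levels) if levels else fr.INF
    a_prime = tuple(acc)
    if fr.member(a_prime, 0):  # a'' fell into R_0: lift it with a state of F_0 below a
        blk0 = fr.blocker(a, 0)
        assert blk0 is not None, "a is a candidate, hence outside R_0"
        a_prime = tuple(max(x, y) for x, y in zip(a_prime, blk0[1]))
    return a_prime, i_prime


def block(fr: Frames, a_prime: State, i_prime: int) -> int:
    """Store a' in F_{i'+1} (F_{i'} when i' is N or N + 1), dropping states
    c >= a' from the levels up to that position; returns the position used."""
    pos = i_prime + 1 if i_prime < fr.N else i_prime
    for k in range(1, pos + 1):
        fr.F[k] = [c for c in fr.F[k] if not leq(a_prime, c)]
    fr.F[pos].append(a_prime)
    return pos


# Constructed sample net: one token moved between two places, I = {(1, 0)}.
T1: Transition = ((1, 0), (-1, 1))   # p1 -> p2
T2: Transition = ((0, 1), (1, -1))   # p2 -> p1
NET = (T1, T2)
INIT_FRAMES = [(2, 0), (0, 1)]       # F_0: minimal states outside I-down


def demo() -> Tuple[Optional[State], Optional[Tuple[State, int]], bool]:
    fr = Frames(INIT_FRAMES)
    hit = find_predecessor(fr, (0, 1), 1, NET)   # (0,1) coverable: predecessor in I
    gen = generalize(fr, (1, 2), 1, NET)         # (1,2) blocked: generalizes to (1,1)
    if gen is not None:
        block(fr, *gen)
    return hit, gen, fr.member((1, 2), 1)
```

In the sample run, the candidate $(1, 2)$ has predecessors $(2, 1)$ along T1 and $(0, 3)$ along T2, both blocked by $F_0$, so the generalization step first computes $a'' = (1, 0)$, finds it inside $R_0^{\downarrow}$, and lifts it to $a' = (1, 1)$, which is then stored in $F_1$ and blocks $(1, 2)$ from $R_1^{\downarrow}$.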

5 Experimental Evaluation 

We have implemented the IIC algorithm in a tool called IIC. Our tool is written 
in C++ and uses the input format of mist2. We evaluated the efficiency of the 
algorithm on a collection of Petri net examples. The goal of the evaluation was 
to compare the performance, both time and space usage, of IIC against other 
implementations of Petri net coverability. 
Table 1. Experimental results: comparison of running time and memory consumption 
for different coverability algorithms on selected problem instances. The memory con- 
sumption is given in megabytes, and the running time in seconds. In the mcov column, 
the superscripts indicate the version of bfc used (the Jan 2012 version or the Feb 2013 
version) and the analysis mode (combined, backward only, or forward only). We list 
the best result for all the version/parameter combinations that were tried. 



We compare the performance of IIC, using our implementation described 
above, to the following algorithms: EEC [13] and backward search [1], as imple- 
mented by the tool mist2^1, and the MCOV algorithm [16] for parameterized mul- 
tithreaded programs as implemented by bfc^2. All experiments were performed 
on identical machines, each having Intel Xeon 2.67 GHz CPUs and 48 GB of 
memory, running Linux 3.2.21 in 64 bit mode. Execution time was limited to 1 
hour, and memory to five gigabytes. 

We used 29 Petri net examples from the mist2 distribution, 46 examples of 
multi-threaded programs from the bfc distribution, and 6 examples from check- 
ing security properties of message-passing programs communicating through un- 
bounded unordered channels (MedXXX examples). We only present a selection 
of the data and focus on examples that took longer than 2 seconds for at least one 
algorithm. All benchmarks are available at http://www.mpi-sws.org/~jkloos/iic-experiments 

^1 See http://software.imdea.org/~pierreganty/ist.html 
^2 See http://www.cprover.org/bfc/ 

Problem                 IIC                    MCOV 
Instance                Time       Mem         Time       Mem 

Uncoverable instances 
Conditionals 2          0.1        3.6         < 0.1      5.7 
RandCAS 2               < 0.1      2.0         < 0.1      3.9 

Coverable instances 
Boop 2                  82.0       287.9       0.1        12.1 
FuncPtr3 1              < 0.1      1.5         < 0.1      3.4 
FuncPtr3 2              0.2        12.3        0.1        7.9 
FuncPtr3 3              28.5       939.1       3.6        303.8 
DoubleLock1 2           Timeout                0.8        56.7 
DoubleLock3 2           8.0        41.3        < 0.1      4.8 
Lu-fig2 3               Timeout                0.1        10.4 
Peterson 2              Timeout                0.2        23.0 
Pthread5 3              132428     468.8       0.1        17.0 
Pthread5 3                                     0.2        49.6 
SimpleLoop 2            7.9        6.0         < 0.1      4.8 
Spin2003 2              4852.2     54.4        < 0.1      2.2 
StackCAS 2              2.5        1.6         < 0.1      3.7 
StackCAS 3              5.5        21.7        < 0.1      4.4 
Szymanski 2             Timeout                0.4        26.7 

Table 2. Experimental results: comparison between MCOV and IIC on examples de- 
rived from parameterized multithreaded programs. Times are in seconds and memory 
in megabytes. In the mcov column, the best result over all bfc versions (Jan 2012 and 
Feb 2013) and analysis modes (combined, backward only, forward only) that were tried 
is listed. 

mist2 and MedXXX benchmarks. Table 1 shows run times and memory usage on 
the mist2 and message-passing program benchmarks. For each row, the column 
in bold shows the winner (time or space) for each instance. It can be seen that 
IIC performs reasonably well on these benchmarks, both in time and in memory 
usage. 

To account for mist2's use of pooled memory, we estimated its baseline 
usage at 2.5 MB by averaging over all examples that ran in less than 1 second. 

Multithreaded program benchmarks. We also ran comparisons with MCOV on a 
set of multithreaded programs distributed with MCOV. For Petri nets derived 
from C programs distributed with MCOV, Table 2 shows that IIC performs well 
on the uncoverable examples but MCOV performs much better on the coverable 
ones. We do not fully understand the reasons for the poor performance of IIC on 
the coverable instances. 

In conclusion, the unoptimized implementation of the IIC algorithm already 
works quite well in comparison to other existing implementations of 
coverability algorithms. Nevertheless, it is obvious that significant further work 
is required to optimize the algorithm. Two main directions that are being con- 
sidered are the use of invariants to prune the search space, and the combination 
of the generalization heuristics from MCOV [16] with IIC. 
A Soundness and termination proof 

This appendix contains the proofs of the lemmas used in the paper. 

Lemma 1. The rules [Unfold], [Induction], [Conflict], [CandidateNondet], and [DecideNondet] 
preserve (11)–(14). 

Proof. If $R|Q \mapsto R'|Q'$ by application of [CandidateNondet] or [DecideNondet], 
we have $R = R'$, so (11)–(14) are preserved trivially. For [Unfold], (11)–(13) are 
trivial, and (14) holds for $i < \mathrm{length}\,R' - 1$ by (14) on $R$, and by the condition 
of [Unfold] for $i = \mathrm{length}\,R' - 1$. 

Finally, the rules [Induction] and [Conflict] require the following technical 
observation about Gen. 

Claim: If $R$ satisfies (11)–(14) and $b \in \mathrm{Gen}_m(a)$, then $R[R_i^{\downarrow} := R_i^{\downarrow} \setminus b{\uparrow}]_{i=1}^{m}$ 
satisfies (11)–(14). 

To prove the claim, we show the following: 

1. For $1 \le k \le m$, $I \subseteq R_k^{\downarrow} \setminus b{\uparrow}$ (part of (11)). 

2. $\mathrm{post}(R_{i-1}^{\downarrow} \setminus b{\uparrow}) \subseteq R_i^{\downarrow} \setminus b{\uparrow}$ for $1 < i \le m$ (part of (12)). 

3. $\mathrm{post}(R_0^{\downarrow}) \subseteq R_1^{\downarrow} \setminus b{\uparrow}$ (part of (12), case $i = 1$). 

4. $\mathrm{post}(R_m^{\downarrow} \setminus b{\uparrow}) \subseteq R_{m+1}^{\downarrow}$ (part of (12), case $i = m+1$). 

All other cases as well as (13) and (14) are trivial. 

1. By the definition of Gen, we have $b{\uparrow} \cap I = \emptyset$. Thus, since $I \subseteq R_k^{\downarrow}$ by (11), 
$I \subseteq R_k^{\downarrow} \setminus b{\uparrow}$. 

2. Let $i$ be given with $1 < i \le m$, and $y \in \mathrm{post}(R_{i-1}^{\downarrow} \setminus b{\uparrow})$. We need to show 
that $y \in R_i^{\downarrow} \setminus b{\uparrow}$. 

By choice of $y$, there is an $x \in R_{i-1}^{\downarrow} \setminus b{\uparrow}$ such that $x \to y$. By repeated 
application of (13), we find that $x \in R_{m-1}^{\downarrow} \setminus b{\uparrow}$. Thus, $y \in \mathrm{post}(R_{m-1}^{\downarrow} \setminus b{\uparrow}) \subseteq 
\Sigma \setminus b{\uparrow}$ by the definition of Gen, and $y \in \mathrm{post}(R_{i-1}^{\downarrow}) \subseteq R_i^{\downarrow}$ by (12). 
Thus, $y \in R_i^{\downarrow} \setminus b{\uparrow}$. 

3. Let $y' \in \mathrm{post}(R_0^{\downarrow}) = \mathrm{post}(I^{\downarrow})$. We need to show that $y' \in R_1^{\downarrow} \setminus b{\uparrow}$. 

There is an $x' \in I^{\downarrow}$ such that $x' \to y'$. By the choice of $x'$, there is an 
$x \in I$ with $x' \le x$. By well-structuredness, there is also a $y$ such that $x \to y$ 
and $y' \le y$. Since $R_1^{\downarrow} \setminus b{\uparrow}$ is downward-closed, it suffices to show $y \in R_1^{\downarrow} \setminus b{\uparrow}$. 

By (11) and (13), we find that $x \in R_{m-1}^{\downarrow}$, and by (1), $x \in R_{m-1}^{\downarrow} \setminus b{\uparrow}$ (for $m = 1$, 
$x \in I^{\downarrow} = R_0^{\downarrow}$ and $x \notin b{\uparrow}$ because $b{\uparrow} \cap I = \emptyset$). Thus, by the definition of Gen, 
$y \in \mathrm{post}(R_{m-1}^{\downarrow} \setminus b{\uparrow}) \subseteq \Sigma \setminus b{\uparrow}$, so $y \notin b{\uparrow}$; and $y \in R_1^{\downarrow}$ by (12). 
Hence $y \in R_1^{\downarrow} \setminus b{\uparrow}$, and since $R_1^{\downarrow} \setminus b{\uparrow}$ is downward-closed, $y' \in R_1^{\downarrow} \setminus b{\uparrow}$. 

4. $\mathrm{post}(R_m^{\downarrow} \setminus b{\uparrow}) \subseteq \mathrm{post}(R_m^{\downarrow}) \subseteq R_{m+1}^{\downarrow}$ by (12). 

□ 

The next lemma describes the structure of the priority queues used in the 
algorithm. 

Lemma 2. Let $\mathrm{Init} \mapsto^* R|Q$. If $Q \ne \emptyset$, then for every $(a, i) \in Q$, there is a 
path from $a$ to some $b \in \Sigma \setminus P^{\downarrow}$. 

Proof. By induction on the application of rules. For the base case, the application 
of [Initialize], the claim trivially holds, since the queue is empty. 

For the induction step, assume the claim holds for some sequence of rule 
applications such that $\mathrm{Init} \mapsto^* R|Q$. We only need to consider [CandidateNondet] 
and [DecideNondet], since they are the only rules which add elements to $Q$. 

If [CandidateNondet] is applied, it enqueues $(a, N)$ such that $a \in R_N^{\downarrow} \setminus P^{\downarrow} \subseteq 
\Sigma \setminus P^{\downarrow}$. If [DecideNondet] is applied, then $\min Q = (a, i)$, $i > 0$, and $(b', i-1)$ 
such that $b' \in \mathrm{pre}(a{\uparrow})$ is enqueued. The latter implies there is $a' \ge a$ such that 
$b' \to a'$. By the induction hypothesis, there is a path $a \to^* b \in \Sigma \setminus P^{\downarrow}$; therefore, 
by well-structuredness there is $b'' \ge b$ such that $a' \to^* b''$. Since $\Sigma \setminus P^{\downarrow}$ is 
upward-closed, $b'' \in \Sigma \setminus P^{\downarrow}$, and we conclude $b' \to^* b'' \in \Sigma \setminus P^{\downarrow}$. □ 

Lemma 8 (Disjointness of $R_j^{\downarrow}$ and $U_i$). When (11)–(14) hold for $R$, $R_{N-i-1}^{\downarrow} \cap 
U_i = \emptyset$ for $0 \le i \le N-1$. 

Proof. We prove the statement by induction over $i$. 

$i = 0$: By (14), $R_{N-1-0}^{\downarrow} \cap U_0 = R_{N-1}^{\downarrow} \cap (\Sigma \setminus P^{\downarrow}) = \emptyset$. 

$i > 0$: By induction, $R_{N-i}^{\downarrow} \cap U_{i-1} = \emptyset$. Now, let $x \in U_i$. Then by definition of 
$U_i$, there are two cases: 

$x \in U_{i-1}$: Then $x \notin R_{N-i}^{\downarrow}$. Since $R_{N-i-1}^{\downarrow} \subseteq R_{N-i}^{\downarrow}$ by (13), $x \notin R_{N-i-1}^{\downarrow}$. 

$x \in \mathrm{pre}(U_{i-1})$: Then there is a $y \in U_{i-1}$ such that $x \to y$. In particular, 
$y \in \mathrm{post}(x)$. Since $y \in U_{i-1}$, we also have $y \notin R_{N-i}^{\downarrow}$. As 
$z \in R_{N-i-1}^{\downarrow}$ implies $\mathrm{post}(z) \subseteq \mathrm{post}(R_{N-i-1}^{\downarrow}) \subseteq R_{N-i}^{\downarrow}$ by (12), this gives $x \notin R_{N-i-1}^{\downarrow}$. 

Thus, in either case, $x \notin R_{N-i-1}^{\downarrow}$. This implies $R_{N-i-1}^{\downarrow} \cap U_i = \emptyset$. □ 

Lemma 9. The sets $D_i$ satisfy the following properties: 

1. $D_0 \subseteq \Sigma \setminus P^{\downarrow}$ 

2. $D_{i+1} \subseteq \mathrm{pre}(D_i{\uparrow}) \setminus U_i$ 

3. Whenever $R_N^{\downarrow} \setminus P^{\downarrow} \ne \emptyset$, there exists an $x \in R_N^{\downarrow} \cap D_0$ 

4. For all $a \in D_i$, if $\mathrm{pre}(a{\uparrow}) \cap R_{N-i-1}^{\downarrow} \ne \emptyset$, there exists an element $x$ such 
that $x \in \mathrm{pre}(a{\uparrow}) \cap D_{i+1} \cap R_{N-i-1}^{\downarrow}$ 

5. $D_i$ is finite for all $i \ge 0$ 

Proof. Statements (1) and (2) follow trivially from the definition of the $D_i$. 

To prove (3), assume that $y \in R_N^{\downarrow} \setminus P^{\downarrow}$. Then there is a minimal element $x \in 
\min(R_N^{\downarrow} \setminus P^{\downarrow})$. But since $R_N^{\downarrow}$ is downward-closed, $\min(R_N^{\downarrow} \setminus P^{\downarrow}) \subseteq \min(\Sigma \setminus P^{\downarrow})$. 
Thus, $x \in \min(\Sigma \setminus P^{\downarrow}) = D_0$. $x \in R_N^{\downarrow}$ is clear. 

To show (4), let $a \in D_i$ be given, and assume that $y \in \mathrm{pre}(a{\uparrow}) \cap R_{N-i-1}^{\downarrow}$. 
Again, there is a minimal element $x \in \min(\mathrm{pre}(a{\uparrow}) \cap R_{N-i-1}^{\downarrow})$, and since 
$R_{N-i-1}^{\downarrow}$ is downward-closed, $x \in \min(\mathrm{pre}(a{\uparrow}))$. By Lemma 8, $x \notin U_i$. 
Thus, $x \in D_{i+1}$. 

Finally, (5) follows by induction on $i$: For $i = 0$, the statement is clear because 
$\min$ of a set is finite in a well-quasi-ordered set. For $i > 0$, the set $D_{i-1}$ is finite by the 
induction hypothesis. Thus, the union $\bigcup_{a \in D_{i-1}} \min(\mathrm{pre}(a{\uparrow}))$ is a finite union of 
finite sets, so $D_i$ is a subset of a finite set and hence finite. □ 

Lemma 10. Given a WSTS $(\Sigma, I, \to, \le)$, a downward-closed set $P^{\downarrow}$ and a se- 
quence of sets $D_i$, if $\mathrm{Init} \mapsto^* R|Q$, then: 

1. For all $i \ge 1$, $R_i^{\downarrow} = \Sigma \setminus \{r_{i,1}, \dots, r_{i,m_i}\}{\uparrow}$, where for all $j = 1, \dots, m_i$, there is 
a $k \ge 0$ and a $d \in D_k$ such that $r_{i,j} \le d$. 

2. For all $(a, i) \in Q$, $a \in D_{N-i}$. 

Proof. It is again sufficient to show that $I^{\downarrow}|\emptyset$ has this property, and that all rel- 
evant rules preserve it. Since $I^{\downarrow}|\emptyset$ satisfies the requirements vacuously, assume 
that $R|Q \mapsto R'|Q'$. By inspection, the following five rules need to be considered: 

[Unfold] Trivial. 

[Induction] Since $Q = Q'$, the second part is trivial. 

For the first part, let $b \in \mathrm{Gen}_{i+1}(r_{i,j})$ for given $i, j$. By the definition of Gen, 
$b \le r_{i,j}$, and by the induction hypothesis, $r_{i,j} \le d$ for some $d \in D_k$, $k \ge 0$. By 
transitivity, $b \le d$. Furthermore, 

$$R'^{\downarrow}_l = \begin{cases} \Sigma \setminus \{r_{l,1}, \dots, r_{l,m_l}\}{\uparrow} \setminus b{\uparrow} & 1 \le l \le i+1 \\ \Sigma \setminus \{r_{l,1}, \dots, r_{l,m_l}\}{\uparrow} & \text{otherwise} \end{cases} 
= \begin{cases} \Sigma \setminus \{r_{l,1}, \dots, r_{l,m_l}, b\}{\uparrow} & 1 \le l \le i+1 \\ \Sigma \setminus \{r_{l,1}, \dots, r_{l,m_l}\}{\uparrow} & \text{otherwise.} \end{cases}$$ 

So, in either case, $R'^{\downarrow}_l$ is of the required form. 

[Candidate] Trivial. 

[Decide] Trivial. 

[Conflict] Since $Q' \subseteq Q$, the second part is trivial. For the first part, we have 
$b \in \mathrm{Gen}_i(a)$ for some $a \in D_k$, $k \ge 0$. Thus, $b \le a$ by the definition of Gen. 
The rest of the proof is analogous to the case of [Induction]. 

□ 

Lemma 11 (Progress). If $\mathrm{Init} \mapsto^* R|Q$, then either $R|Q \mapsto R'|Q'$, or $R|Q \mapsto 
\mathrm{valid}$, or $R|Q \mapsto \mathrm{invalid}$. 

Proof. Let $R|Q$ be given. By case analysis, we will show that some rule will 
always be applicable to it. 

If $Q = \emptyset$, there are two cases: 

- $R_N^{\downarrow} \subseteq P^{\downarrow}$: 
$R|Q = R|\emptyset \mapsto R'|\emptyset$ by applying [Unfold]. 

- $R_N^{\downarrow} \not\subseteq P^{\downarrow}$: 
Then, by choice of $D_0$ (Lemma 9 (3)), there is some $x \in R_N^{\downarrow} \cap D_0$. Thus, $R|Q = R|\emptyset \mapsto 
R|(x, N)$ by applying [Candidate]. 

If $Q \ne \emptyset$, there are four cases: 

- $(a, 0) \in Q$ for some $a \in \Sigma$. 
$R|Q \mapsto \mathrm{invalid}$ by applying [ModelSyn]. 

- $(a, i) \in Q$ for some $a \in \Sigma$, $i > 0$ with $a{\uparrow} \cap I \ne \emptyset$. 
$R|Q \mapsto \mathrm{invalid}$ by applying [ModelSem]. 

- $\min Q = (a, i)$ for some $a \in \Sigma$, $i > 0$ with $\mathrm{pre}(a{\uparrow}) \cap R_{i-1}^{\downarrow} \ne \emptyset$. 
By choice of $D_{N-i+1}$ (Lemma 9 (4)), there is also a $b \in D_{N-i+1} \cap R_{i-1}^{\downarrow} \cap \mathrm{pre}(a{\uparrow})$, so 
$R|Q \mapsto R|Q.\mathrm{Push}((b, i-1))$ by applying [Decide]. 

- None of the above. 
In this case, let $(a, i) = \min Q$. We have $i > 0$, $a{\uparrow} \cap I = \emptyset$ and $\mathrm{pre}(a{\uparrow}) \cap 
R_{i-1}^{\downarrow} = \emptyset$. 

Claim: $a \in \mathrm{Gen}_i(a)$. 

Proof: We certainly have $a \le a$, and by the statements above, $a{\uparrow} \cap I = \emptyset$. 
Also, by Lemma 2, $a \in R_i^{\downarrow}$. It remains to show that $\mathrm{post}(R_{i-1}^{\downarrow} \setminus a{\uparrow}) \subseteq 
\Sigma \setminus a{\uparrow}$. 

Thus, let $y \in \mathrm{post}(R_{i-1}^{\downarrow} \setminus a{\uparrow})$. Then there is an $x \in R_{i-1}^{\downarrow} \setminus a{\uparrow}$ such that 
$x \to y$. 

Suppose now that $y \in a{\uparrow}$. Then $x \in \mathrm{pre}(a{\uparrow})$, so $x \in \mathrm{pre}(a{\uparrow}) \cap R_{i-1}^{\downarrow} = 
\emptyset$, a contradiction. 
Thus, $a \in \mathrm{Gen}_i(a)$. 

Thus, $R|Q \mapsto (R[R_k^{\downarrow} := R_k^{\downarrow} \setminus a{\uparrow}]_{k=1}^{i})\,|\,(Q.\mathrm{PopMin})$ by applying [Conflict]. 

□ 

Proposition 1 (Maximal finite sequences). Let $\mathrm{Init} = \sigma_0 \mapsto \sigma_1 \mapsto \dots \mapsto \sigma_K$ be 
a maximal sequence of states, i.e., a sequence such that there is no $\sigma'$ such that 
$\sigma_K \mapsto \sigma'$. Then $\sigma_K = \mathrm{valid}$ or $\sigma_K = \mathrm{invalid}$. 

Proof. $\sigma_K$ can have one of four forms: $\mathrm{Init}$, $\mathrm{valid}$, $\mathrm{invalid}$ or $R|Q$. 
If $\sigma_K = \mathrm{valid}$ or $\sigma_K = \mathrm{invalid}$, there is nothing to show. 
If $\sigma_K = R|Q$, the sequence is not maximal by Lemma 11. 
If $\sigma_K = \mathrm{Init}$, $\sigma_K \mapsto I^{\downarrow}|\emptyset$ by [Initialize], hence the sequence is not maximal. 

□ 

Lemma 3 ($\le_s$ is a well-founded quasi-order). The relation $\le_s$ is a well-founded 
quasi-ordering on the set $(\mathcal{D})^* \times \mathcal{Q}$, where $\mathcal{D}$ is the set of downward-closed 
sets over $\Sigma$, and $\mathcal{Q}$ denotes the set of priority queues over $\Sigma \times \mathbb{N}$. 

Proof. The following statements are easy to check: 

- $\sqsubseteq_N$ is a partial order, and $\sqsubset_N$ is its strict part. 

- $\sqsubseteq$ is a partial order, and $\sqsubset$ is its strict part. 

- Let $\le_n := \sqsubseteq \times \le$ denote the lexicographic product of $\sqsubseteq$ and the order $\le$ 
on the natural numbers. Then $\le_n$ is a partial order. 

- Let $\phi : (\mathcal{D})^* \times \mathcal{Q} \to (\mathcal{D})^* \times \mathbb{N}$, $R|Q \mapsto (R, \ell_{\mathrm{length}(R)}(Q))$. 
Then $\phi(R|Q) \le_n \phi(R'|Q')$ if $R|Q \le_s R'|Q'$, and $\phi(R|Q) <_n \phi(R'|Q')$ if 
$R|Q <_s R'|Q'$. 

- If $\le_s$ is a quasi-order, $<_s$ is the corresponding strict quasi-order. 

In the following, we will use these facts to establish: 

1. $\sqsubseteq$ is well-founded, 

2. $\le_n$ is well-founded, 

3. $\le_s$ is a quasi-order, 

4. $<_s$ is well-founded. 

$\sqsubseteq$ is well-founded: Let $R_1 \sqsupseteq R_2 \sqsupseteq \dots$ be a descending chain of vectors. We 
need to show that the chain will eventually stabilize, i.e., there is an $i$ such 
that for all $j > i$, $R_j = R_i$. 

As a first observation, by definition of $\sqsubseteq$, $\mathrm{length}\,R_j = \mathrm{length}\,R_{j+1}$ for all 
$j > 0$, i.e., there is an $N$ such that $\mathrm{length}\,R_j = N$ for all $j$. 
Suppose that no such $i$ exists. Then for all $j$, $R_{j+1} \sqsubset R_j$. By definition of 
$\sqsubset_N$, this means that for every $j$, there is a $k_j$ such that $R_{j,k_j} \supsetneq R_{j+1,k_j}$. 
Furthermore, since $k_j \in \{1, \dots, N\}$ for all $j$, there must be some $k \in \{1, \dots, N\}$ 
such that $k_j = k$ for infinitely many $j$ by the pigeonhole principle. 
Define a sequence $j_t$ such that $j_0 = 0$, and for all $t \ge 0$, $R_{j_t,k} \supsetneq R_{j_{t+1},k}$. 
Such a sequence exists because for every $j$, either $R_{j,k} = R_{j+1,k}$, or 
$R_{j,k} \supsetneq R_{j+1,k}$, by our assumptions. 

Thus, we have an infinite descending chain $R_{j_0,k} \supsetneq R_{j_1,k} \supsetneq \dots$ of downward- 
closed sets. Define $C_t := \Sigma \setminus R_{j_t,k}$. This is an infinite strictly ascending 
chain of upward-closed sets, i.e., $C_0 \subsetneq C_1 \subsetneq \dots$. This is a contradiction, 
since there are no infinite strictly ascending chains of upward-closed sets in a 
well-quasi-ordered set, cf. [1], Lemma 3.4. 

$\le_n$ is well-founded: Assume that $s$ is an infinite strictly descending sequence on $\mathcal{D}^* \times 
\mathbb{N}$. Denote by $s_1$ the sequence of first components and by $s_2$ the sequence 
of second components, i.e., $s(i) = (s_1(i), s_2(i))$. Since $\sqsubseteq$ is a well-founded 
partial order, there is some $j$ such that $s_1(k) = s_1(j)$ for all $k \ge j$. Thus, 
$s_2(k) > s_2(\ell)$ for all $j \le k < \ell$, which is impossible, since $<$ on $\mathbb{N}$ is well-founded. 

$\le_s$ is a quasi-order: Reflexivity is trivial. For transitivity, consider $R_1|Q_1 \le_s R_2|Q_2 \le_s R_3|Q_3$. 
By definition, $R_1 \sqsubseteq R_2 \sqsubseteq R_3$, hence $R_1 \sqsubseteq R_3$. Additionally, due to the 
definition of $\sqsubseteq$, there is an $N$ such that $N = \mathrm{length}\,R_1 = \mathrm{length}\,R_2 = 
\mathrm{length}\,R_3$. 

There are three cases to consider: 

1. $R_1 = R_2 = R_3$. In this case, $\ell_{\mathrm{length}(R_1)}(Q_1) \le \ell_{\mathrm{length}(R_2)}(Q_2) \le \ell_{\mathrm{length}(R_3)}(Q_3)$. 
By the above observation, this means that $\ell_N(Q_1) \le \ell_N(Q_2) \le \ell_N(Q_3)$, 
so $\ell_{\mathrm{length}(R_1)}(Q_1) = \ell_N(Q_1) \le \ell_N(Q_3) = \ell_{\mathrm{length}(R_3)}(Q_3)$. 

2. $R_1 \ne R_2 \ne R_3$. Since $\sqsubseteq$ is a partial order, this implies in particular that 
$R_1 \sqsubset R_2 \sqsubset R_3$, thus $R_1 \sqsubset R_3$ and hence $R_1 \ne R_3$. 

3. $R_1 \ne R_2 = R_3$ or $R_1 = R_2 \ne R_3$. In either case, $R_1 \sqsubset R_3$ and so $R_1 \ne R_3$. 

$<_s$ is well-founded: Suppose $R_1|Q_1 >_s R_2|Q_2 >_s \dots$ were an infinite strictly 
descending chain, and set $p_i := \phi(R_i|Q_i)$. Then $p_1 >_n p_2 >_n \dots$ would be an 
infinite strictly descending chain for $>_n$, contradicting the well-foundedness of $\le_n$ 
shown above. Hence no such chain exists. 

□ 

Lemma 12. If $R|Q \mapsto R'|Q'$ as a result of applying the [Candidate], [Decide], 
[Conflict], or [Induction] rule, then $R|Q >_s R'|Q'$. 

Proof. Case analysis on the applied rule. 

[Candidate]: In this case, $Q = \emptyset$, $R = R'$ and $Q' = \{(a, N)\}$ for some $a \in \Sigma$. 
Thus, $\ell_N(Q) = N + 1 > \ell_N(Q') = N$. 

[Decide]: In this case, $\min Q = (a, i)$, $\min Q' = (b, i-1)$ for some $a, b \in \Sigma$ and 
$i > 0$. Also, $R = R'$. 
Thus, $R = R'$ and $\ell_N(Q) = i > i - 1 = \ell_N(Q')$. 

[Conflict]: In this case, $R' = R[R_k^{\downarrow} := R_k^{\downarrow} \setminus b{\uparrow}]_{k=1}^{i}$ for some $i \ge 1$, $b \in \mathrm{Gen}_i(a)$, 
$a \in \Sigma$. By definition of Gen, we have in particular that $b \in R_i^{\downarrow}$, and $b \notin R'^{\downarrow}_i$. 
Since furthermore $R'^{\downarrow}_j \subseteq R_j^{\downarrow}$ for all $j \le N$, we have $R \sqsupset R'$. 

[Induction]: Analogous to [Conflict]. 

□ 



Proposition 2 (Infinite sequence condition). For every infinite sequence $\mathrm{Init} \mapsto 
\sigma_1 \mapsto \sigma_2 \mapsto \dots$, there are infinitely many $i$ such that $\sigma_i \mapsto \sigma_{i+1}$ by applying the 
rule [Unfold]. 

Proof. Let $\mathrm{Init} \mapsto \sigma_1 \mapsto \sigma_2 \mapsto \dots$ be an infinite sequence of states. Since $\mathrm{valid}$ 
and $\mathrm{invalid}$ have no successor states, all $\sigma_i$ must be of the form $R_i|Q_i$. Thus, only 
the following rules can be applied to get from $\sigma_i$ to $\sigma_{i+1}$: [Unfold], [Candidate], 
[Conflict], [Decide] and [Induction]. 

Suppose that there is some $K$ such that for all $i \ge K$, the transition $\sigma_i \mapsto \sigma_{i+1}$ 
is not due to [Unfold]. 

But then, the transition is due to one of [Candidate], [Conflict], [Decide] and 
[Induction]. By Lemma 12 this means that $\sigma_K >_s \sigma_{K+1} >_s \sigma_{K+2} >_s \dots$, i.e., 
from $K$ on, the $\sigma_i$ form a $>_s$-descending chain. 

Since the $\sigma_i$ form an infinite sequence, this implies that the sequence $\sigma_K, \sigma_{K+1}, \dots$ 
forms an infinite $>_s$-chain. But by Lemma 3, $<_s$ is well-founded, so no infinite 
$>_s$-chains exist, a contradiction. 

Thus, there must be infinitely many $i$ such that $\sigma_i \mapsto \sigma_{i+1}$ using [Unfold]. □ 

Lemma 4. If there is a path from $I$ to $\Sigma \setminus P^{\downarrow}$ of length $k$, the rule [Unfold] can 
be applied at most $k$ times: for every sequence $\mathrm{Init} \mapsto \sigma_1 \mapsto^* \sigma_n$, there are at 
most $k$ different values for $i$ such that $\sigma_i \mapsto \sigma_{i+1}$ using the [Unfold] rule. 

Proof. Let $\mathrm{Init} \mapsto \sigma_1 \mapsto^* \sigma_K$ be a sequence of rule applications in which [Unfold] has 
occurred $N = k$ times, i.e., there are $i_1 < \dots < i_N$ such that $\sigma_{i_j} \mapsto \sigma_{i_j+1}$ via 
[Unfold]. 

We wish to show that there is no $\sigma'$ such that $\sigma_K \mapsto \sigma'$ via [Unfold]. 

If $\sigma_K \ne R|Q$, the statement follows because $\mathrm{valid}$ and $\mathrm{invalid}$ have no succes- 
sors. Thus, consider the case $\sigma_K = R|Q$. 

Let $s_0, \dots, s_N$ be a path from $I$ to $\Sigma \setminus P^{\downarrow}$, i.e., $s_0 \in I$, $s_N \in \Sigma \setminus P^{\downarrow}$ and 
$s_i \to s_{i+1}$ for $i = 0, \dots, N-1$. Then, in particular, $s_i \in R_i^{\downarrow}$ for $i = 1, \dots, N$ by 
(11) and (12). 

Thus, the pre-condition for [Unfold] is not fulfilled, since $s_N \in R_N^{\downarrow} \setminus P^{\downarrow}$. □ 

Lemma 13. For $i > L$, $D_i = \emptyset$. This implies that the set $\bigcup_{i \ge 0} D_i$ is finite. 

Proof. We first show a small auxiliary fact: 

Claim: $D_j \subseteq U_j$ for all $j \ge 0$. 
Proof: By induction on $j$. 

- $D_0 \subseteq \Sigma \setminus P^{\downarrow} = U_0$. 

- $D_{j+1} \subseteq \mathrm{pre}(D_j{\uparrow}) \subseteq \mathrm{pre}(U_j) \subseteq U_{j+1}$, using the induction hypothesis 
(and the upward-closedness of $U_j$) in the second step. 

Now, let $i > L$. By Lemma 9, statement (2), and the above claim, we have 
$D_i \subseteq U_i \setminus U_{i-1} = U_L \setminus U_L = \emptyset$, since $U_j = U_L$ for all $j \ge L$ by Lemma 
3.4 and the discussion in Paragraph 4 of [1]. 

Since for all $i > L$, $D_i = \emptyset$, it is sufficient to show that $D_i$ is finite for 
$i = 0, \dots, L$. This is guaranteed by Lemma 9, statement (5). □ 

Lemma 6. Let $a \in \mathbb{N}^n$ be a state and $t = (g, d) \in \mathbb{N}^n \times \mathbb{Z}^n$ be a transition. Then 
$b \in \mathrm{pre}(a{\uparrow})$ is a predecessor along $t$ if and only if $b \ge \max(a - d, g)$. 

Proof. Suppose $b \in \mathrm{pre}(a{\uparrow})$ is a predecessor along $t$. Then $b \ge g$ and $b + d \ge a$. 
Thus, $b \ge \max(a - d, g)$. For the other direction, due to well-structuredness it 
is enough to show that $\max(a - d, g)$ itself is a predecessor along $t$. But this holds 
since $\max(a - d, g) \ge g$ and $\max(a - d, g) + d \ge (a - d) + d = a$. □ 

Lemma 7. Let $a, c \in \mathbb{N}^n$ be states and $t = (g, d) \in \mathbb{N}^n \times \mathbb{Z}^n$ be a transition. 

1. Let $c \le \max(a - d, g)$. Define $a'' \in \mathbb{N}^n$ by $a''_j := c_j + d_j$ if $g_j < c_j$ and 
$a''_j := 0$ if $g_j \ge c_j$, for $j = 1, \dots, n$. Then $a'' \le a$. Additionally, for each 
$a' \in \mathbb{N}^n$ such that $a'' \le a' \le a$, we have $c \le \max(a' - d, g)$. 

2. If $a \le \max(a - d, g)$, then for each $a' \in \mathbb{N}^n$ such that $a' \le a$, it holds that 
$a' \le \max(a' - d, g)$. 

Proof. For the first part, consider coordinate $j$ for $1 \le j \le n$. If $g_j \ge c_j$, then 
$a''_j = 0 \le a_j$ and $c_j \le g_j \le \max(a'_j - d_j, g_j)$. 

On the other hand, suppose $g_j < c_j$. First note that $\max(a_j - d_j, g_j) = a_j - d_j$, 
since $g_j < c_j \le \max(a_j - d_j, g_j)$. Thus, 

$$a''_j = c_j + d_j \le \max(a_j - d_j, g_j) + d_j = (a_j - d_j) + d_j = a_j$$ 

and 

$$c_j = a''_j - d_j \le a'_j - d_j \le \max(a'_j - d_j, g_j).$$ 

For part (2), consider coordinate $j$ for $1 \le j \le n$. If $a_j - d_j \ge g_j$, then 
$a_j \le \max(a_j - d_j, g_j) = a_j - d_j$. 
Therefore $d_j \le 0$, implying 

$$a'_j \le a'_j - d_j \le \max(a'_j - d_j, g_j).$$ 

On the other hand, if $a_j - d_j < g_j$, then 

$$a'_j \le a_j \le \max(a_j - d_j, g_j) = g_j \le \max(a'_j - d_j, g_j).$$ 

□ 



